create-qa-architect 5.0.7 → 5.4.3

package/lib/github-api.js

@@ -6,6 +6,63 @@
 const https = require('https')
 const { execSync } = require('child_process')
 
+// TD5 fix: Simple rate limiter for GitHub API
+// GitHub allows 5000 requests/hour for authenticated requests
+const rateLimiter = {
+  tokens: 100, // Start with 100 tokens
+  maxTokens: 100,
+  refillRate: 100 / 3600, // Refill ~100 tokens per hour
+  lastRefill: Date.now(),
+  minDelayMs: 100, // Minimum delay between requests
+
+  async acquire() {
+    try {
+      // Refill tokens based on time elapsed
+      const now = Date.now()
+      const elapsed = (now - this.lastRefill) / 1000
+      const refilled = elapsed * this.refillRate
+
+      // DR5 fix: Validate math to prevent NaN/Infinity
+      if (!Number.isFinite(refilled) || refilled < 0) {
+        console.warn('⚠️  Rate limiter math error, resetting')
+        this.tokens = this.maxTokens
+        this.lastRefill = now
+        return
+      }
+
+      this.tokens = Math.min(this.maxTokens, this.tokens + refilled)
+      this.lastRefill = now
+
+      // If we have tokens, use one
+      if (this.tokens >= 1) {
+        this.tokens -= 1
+        return
+      }
+
+      // Wait before allowing request
+      const waitTime = Math.max(
+        this.minDelayMs,
+        ((1 - this.tokens) / this.refillRate) * 1000
+      )
+
+      // DR5 fix: Validate waitTime before setTimeout
+      if (!Number.isFinite(waitTime) || waitTime < 0 || waitTime > 60000) {
+        console.warn(
+          `⚠️  Rate limiter computed invalid wait time: ${waitTime}ms, using minimum`
+        )
+        await new Promise(resolve => setTimeout(resolve, this.minDelayMs))
+      } else {
+        await new Promise(resolve => setTimeout(resolve, waitTime))
+      }
+
+      this.tokens = 0
+    } catch (error) {
+      // DR5 fix: Don't block on rate limiter errors, just log and proceed
+      console.error(`❌ Rate limiter error: ${error.message}`)
+    }
+  },
+}
+
 /**
  * Get GitHub token from environment or gh CLI
  */
@@ -15,12 +72,21 @@ function getGitHubToken() {
     return process.env.GITHUB_TOKEN
   }
 
-  // Try to get from gh CLI
+  // Try to get from gh CLI (hardcoded command - no injection risk)
   try {
     const token = execSync('gh auth token', { encoding: 'utf8' }).trim()
     if (token) return token
-  } catch {
-    // gh CLI not available or not authenticated
+  } catch (error) {
+    // Silent failure fix: Log unexpected errors for debugging
+    // ENOENT = gh not installed (expected), other errors should be visible in DEBUG mode
+    if (
+      error?.code !== 'ENOENT' &&
+      !error?.message?.includes('command not found')
+    ) {
+      if (process.env.DEBUG) {
+        console.warn(`⚠️  gh auth token failed: ${error.message}`)
+      }
+    }
   }
 
   return null
@@ -28,6 +94,7 @@ function getGitHubToken() {
 
 /**
  * Get repository info from git remote
+ * Uses hardcoded git command - no injection risk
  */
 function getRepoInfo(projectPath = '.') {
   try {
@@ -45,15 +112,50 @@ function getRepoInfo(projectPath = '.') {
     }
 
     return null
-  } catch {
+  } catch (error) {
+    // Silent failure fix: Log unexpected errors for debugging
+    // "No such remote" is expected when origin isn't configured
+    if (
+      !error?.stderr?.includes('No such remote') &&
+      error?.code !== 'ENOENT'
+    ) {
+      if (process.env.DEBUG) {
+        console.warn(`⚠️  git remote get-url failed: ${error.message}`)
+      }
+    }
     return null
   }
 }
 
 /**
- * Make GitHub API request
+ * Sanitize error messages to remove sensitive tokens
+ * DR29 fix: Prevent token exposure in error messages
+ */
+function sanitizeError(error, token) {
+  if (!error || !token) return error
+
+  const message = error.message || String(error)
+  // Use string replace with global flag instead of RegExp to avoid security warning
+  const sanitized = message.split(token).join('***REDACTED***')
+
+  if (error instanceof Error) {
+    const sanitizedError = new Error(sanitized)
+    sanitizedError.stack = error.stack?.split(token).join('***REDACTED***')
+    return sanitizedError
+  }
+
+  return new Error(sanitized)
+}
+
+/**
+ * Make GitHub API request with rate limiting
+ * TD5 fix: Added rate limiting to prevent hitting GitHub's API limits
+ * DR29 fix: Sanitize errors to prevent token exposure
  */
-function githubRequest(method, path, token, data = null) {
+async function githubRequest(method, path, token, data = null) {
+  // TD5 fix: Acquire rate limit token before making request
+  await rateLimiter.acquire()
+
   return new Promise((resolve, reject) => {
     const options = {
       hostname: 'api.github.com',
@@ -77,23 +179,46 @@ function githubRequest(method, path, token, data = null) {
       res.on('data', chunk => (body += chunk))
       res.on('end', () => {
         if (res.statusCode >= 200 && res.statusCode < 300) {
-          resolve({
-            status: res.statusCode,
-            data: body ? JSON.parse(body) : null,
-          })
+          // DR12 fix: Handle JSON parse errors gracefully
+          try {
+            const data = body ? JSON.parse(body) : null
+            resolve({ status: res.statusCode, data })
+          } catch (_error) {
+            // DR29 fix: Sanitize error before rejecting
+            reject(
+              sanitizeError(
+                new Error(
+                  `GitHub API returned invalid JSON (status ${res.statusCode}): ${body.slice(0, 100)}`
+                ),
+                token
+              )
+            )
+          }
         } else if (res.statusCode === 204) {
           resolve({ status: 204, data: null })
         } else {
+          // DR12 fix: GitHub errors are usually JSON, but handle parse failures
+          let errorBody = body || res.statusMessage
+          try {
+            const errorData = JSON.parse(body)
+            errorBody = errorData.message || errorBody
+          } catch (_error) {
+            // Use raw body if JSON parse fails
+          }
+
+          // DR29 fix: Sanitize error before rejecting
           reject(
-            new Error(
-              `GitHub API error: ${res.statusCode} - ${body || res.statusMessage}`
+            sanitizeError(
+              new Error(`GitHub API error: ${res.statusCode} - ${errorBody}`),
+              token
             )
           )
         }
       })
     })
 
-    req.on('error', reject)
+    // DR29 fix: Sanitize network errors
+    req.on('error', error => reject(sanitizeError(error, token)))
 
     if (data) {
       req.write(JSON.stringify(data))

package/lib/license-signing.js

@@ -0,0 +1,125 @@
+'use strict'
+
+const crypto = require('crypto')
+
+// TD15 fix: Single source of truth for license key format validation
+const LICENSE_KEY_PATTERN =
+  /^QAA-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/
+
+/**
+ * Deterministic JSON stringify with sorted keys for signature verification.
+ * TD13 fix: Added circular reference protection using WeakSet.
+ */
+function stableStringify(value, seen = new WeakSet()) {
+  if (value === null || typeof value !== 'object') {
+    return JSON.stringify(value)
+  }
+  // TD13 fix: Detect circular references to prevent stack overflow
+  if (seen.has(value)) {
+    throw new Error('Circular reference detected in payload - cannot serialize')
+  }
+  seen.add(value)
+
+  if (Array.isArray(value)) {
+    return `[${value.map(item => stableStringify(item, seen)).join(',')}]`
+  }
+  const keys = Object.keys(value).sort()
+  const entries = keys.map(
+    key => `${JSON.stringify(key)}:${stableStringify(value[key], seen)}`
+  )
+  return `{${entries.join(',')}}`
+}
+
+/**
+ * Normalize and validate email format
+ * DR21 fix: Added email format validation before hashing
+ * @param {string} email - Email address to normalize
+ * @returns {string|null} - Normalized email or null if invalid
+ */
+function normalizeEmail(email) {
+  if (!email || typeof email !== 'string') return null
+  const normalized = email.trim().toLowerCase()
+
+  // Basic email format validation (RFC 5322 simplified)
+  // Must have: local@domain.tld format
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/
+
+  if (!emailRegex.test(normalized)) {
+    return null
+  }
+
+  return normalized.length > 0 ? normalized : null
+}
+
+function hashEmail(email) {
+  const normalized = normalizeEmail(email)
+  if (!normalized) return null
+  return crypto.createHash('sha256').update(normalized).digest('hex')
+}
+
+/**
+ * Build a license payload for signing/verification.
+ * TD14 fix: Added input validation to prevent signature mismatches from invalid data.
+ */
+function buildLicensePayload({
+  licenseKey,
+  tier,
+  isFounder,
+  emailHash,
+  issued,
+}) {
+  // TD14 fix: Validate required fields to catch issues early
+  if (!licenseKey || typeof licenseKey !== 'string') {
+    throw new Error('licenseKey is required and must be a string')
+  }
+  if (!tier || typeof tier !== 'string') {
+    throw new Error('tier is required and must be a string')
+  }
+  if (!issued || typeof issued !== 'string') {
+    throw new Error('issued is required and must be a string')
+  }
+
+  const payload = {
+    licenseKey,
+    tier,
+    isFounder: Boolean(isFounder),
+    issued,
+  }
+  if (emailHash) {
+    payload.emailHash = emailHash
+  }
+  return payload
+}
+
+function signPayload(payload, privateKey) {
+  const data = Buffer.from(stableStringify(payload))
+  const signature = crypto.sign(null, data, privateKey)
+  return signature.toString('base64')
+}
+
+function verifyPayload(payload, signature, publicKey) {
+  const data = Buffer.from(stableStringify(payload))
+  return crypto.verify(null, data, publicKey, Buffer.from(signature, 'base64'))
+}
+
+function loadKeyFromEnv(envValue, envPathValue) {
+  if (envValue) return envValue
+  if (envPathValue) {
+    const fs = require('fs')
+    if (fs.existsSync(envPathValue)) {
+      return fs.readFileSync(envPathValue, 'utf8')
+    }
+  }
+  return null
+}
+
+module.exports = {
+  LICENSE_KEY_PATTERN,
+  stableStringify,
+  normalizeEmail,
+  hashEmail,
+  buildLicensePayload,
+  signPayload,
+  verifyPayload,
+  loadKeyFromEnv,
+}